Nimbus Direct Insurance — Risk Management Framework
The enterprise risk-management approach, the risk-appetite statement, and the principal risks and mitigation across underwriting, market, operational, regulatory and strategic risks.
Section 12 · Business Plan
12.1 Enterprise Risk Management Approach
Nimbus’s Enterprise Risk Management (ERM) framework is designed to
identify, measure, monitor and respond to risks across all material
categories, in alignment with Prudential Authority Prudential Standards
GOI 3 (Risk Management and Internal Controls), GOI 3.1 (Risk Management
— Risk Categories), and IAIS Insurance Core Principle 8. The ERM
Framework operates through five reinforcing components: (1) Risk
Strategy, (2) Risk Appetite, (3) Risk Identification & Assessment,
(4) Risk Monitoring & Reporting, and (5) Risk Response.
12.2 Risk Appetite Statement (Summary)
The Board will adopt and annually review a formal Risk Appetite
Statement. Indicative limits include:
| Risk Category | Appetite / Tolerance | Trigger Action |
|---|---|---|
| Solvency Capital Coverage (SCR) | Target ≥ 150%; Minimum ≥ 130% | Capital actions plan; restricted dividend |
| Combined Ratio (12-month rolling) | Target ≤ 95%; Tolerance ≤ 102% | Pricing review within 30 days |
| Loss Ratio (motor) | Target ≤ 60%; Tolerance ≤ 68% | Underwriting tightening |
| Catastrophe single-event net loss | ≤ ZAR 30M after reinsurance | Reinsurance review and risk-grid recalibration |
| Investment portfolio drawdown (12m) | ≤ 8% across insurance funds | ALCO review; tactical re-allocation |
| Operational loss events (annual) | < ZAR 25M aggregate | Root-cause analysis; control remediation |
| Cyber security incidents (Tier 1+) | Zero tolerance | Immediate CIRT activation; regulator notification |
12.3 Principal Risks & Mitigation
Underwriting Risk
The largest single risk category. Mitigants: (i) the four-layer
pricing architecture (Section 9.2); (ii) the reinsurance programme
(Section 5.4); (iii) the catastrophe risk management approach (Section
9.5); (iv) monthly underwriting committee review of segment-level loss
ratios; (v) automatic price-adjustment triggers when loss ratios deviate
materially from plan.
Reserving Risk
Risk that technical provisions are inadequate for ultimate claim
cost. Mitigants: chain-ladder and Bornhuetter-Ferguson methodologies,
IFRS 17 risk adjustment at 75th percentile, quarterly Actuarial Function
review, annual external peer review, prudent assumption setting with
explicit margins for adverse deviation in newer lines.
Market & Investment Risk
The principal exposure is investment-portfolio drawdown. The Nimbus investment policy
emphasises capital preservation: at Year 1, 75% of insurance funds will
be invested in money-market and short-duration government bonds, 15% in
investment-grade corporate bonds, 10% in JSE Top 40 equity ETF. The
Asset-Liability Committee (ALCO) meets monthly to review duration,
liquidity, and asset-liability mismatch.
Credit & Counterparty Risk
Concentration on reinsurer counterparties is monitored under the SAM
counterparty default risk module. Reinsurance treaties are diversified
across multiple Tier 1 counterparties (Munich Re S&P AA-, Swiss Re
AA-, Hannover Re AA-, Africa Re A) with explicit limits on
per-counterparty exposure.
Liquidity Risk
Mitigated through a Liquidity Risk Management Policy requiring (i)
cash and money-market instruments ≥ 30% of total assets at all times,
(ii) a Contingency Funding Plan, and (iii) quarterly liquidity stress
tests covering scenarios including a catastrophe event, a mass-lapse
event and a reputational shock.
Operational Risk
Includes fraud, systems failure, third-party failure, and people
risk. Mitigated through: (i) a formal Operational Risk Management
Framework with risk-control self-assessments, loss event database, key
risk indicators; (ii) business continuity planning with annual
exercises; (iii) vendor risk management framework (Section 8.4); (iv)
workforce planning and succession framework.
Cyber & Information Security Risk
Material and growing risk given the digital-first business model.
Mitigated through: ISO 27001 certification, NIST CSF v2.0 alignment,
multi-factor authentication, zero-trust network architecture, weekly
threat-intelligence reviews, quarterly penetration testing, annual
red-team exercises, cyber insurance covering up to ZAR 200 million of
first- and third-party loss.
Regulatory & Compliance Risk
Mitigated through the three-lines-of-defence model (Section 10.4),
proactive regulator engagement, dedicated regulatory-change monitoring,
and a Compliance Programme aligned to PA, FSCA, NBFIRA, FIC, and POPIA
requirements.
Strategic Risk
Risk of strategic missteps, competitor response, or macro-environment
change. Mitigated through quarterly strategy review by the Executive
Committee, annual scenario planning, and a defined
competitive-intelligence function within the Marketing team.
12.4 Stress Testing
The Company will conduct formal stress tests at least annually as
part of the ORSA process, covering at minimum:
- Severe combined ratio scenario (1-in-20-year loss experience across motor and property).
- Catastrophe scenario (1-in-200-year event).
- Market shock scenario (equity market down 30%, bond yields up 200bps).
- Combined adverse scenario (concurrent insurance and market stress).
- Reverse stress test (identification of the scenario that would render the business model unviable).
Confidential — this business plan is provided to prospective investors and lenders for evaluation purposes only and may not be reproduced or distributed without the written consent of Nimbus Direct Insurance Group (Pty) Ltd.